[Original] Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.

HP Security Bulletin HPSBOV02683 SSRT090208 - Potential vulnerabilities have been identified with HP Secure Web Server (SWS) for OpenVMS running Apache and PHP. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, or unauthorized modifications. Revision 1 of this advisory.

-
Vulnerability Description

Apache contains a flaw that may allow a remote denial of service. The issue is triggered when a malicious user sends a "Content-Length:" header that contains a large negative value through the mod_proxy module, and will result in loss of availability for the service.

-
Timeline

Disclosure date: 2004-06-10

Discovery date: Unknown

Exploit date: 2004-06-10

Solution date: Unknown

-
Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apache has released a patch to address this vulnerability.

-
Vulnerability Discussion

A remote buffer overflow vulnerability exists in Apache mod_proxy.

The source of this issue is that a negative user-specified length value may be used in a memory copy operation, allowing for corruption of memory. This may be triggered if a remote server returns a negative Content-Length: HTTP header field to be passed through the proxy.

Exploitation will likely result in a denial of service, though there is an unconfirmed potential for execution of arbitrary code on some platforms (such as BSD implementations). Versions that have the optional AP_ENABLE_EXCEPTION_HOOK define enabled may also be exploitable on some platforms.

This issue affects Apache servers 1.3.26 through 1.3.32 that have mod_proxy enabled and configured. Apache 2.0.x releases are not affected by this issue.
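The signedness problem described above, a negative length reaching a memory copy, is shown below next to a hardened form. This is an added illustration, not Apache's mod_proxy source or its patch; the function names and `IOBUF_SIZE` are assumptions made for the example, and no copy is actually performed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

#define IOBUF_SIZE 8192   /* assumed size of the proxy's relay buffer */

/* Flawed pattern: a signed "min" lets a negative remaining length win,
 * and the conversion to size_t turns it into an enormous copy count. */
size_t chunk_len_unchecked(long content_length, long received)
{
    long remaining = content_length - received;
    long n = remaining < (long)IOBUF_SIZE ? remaining : (long)IOBUF_SIZE;
    return (size_t)n;     /* -1 becomes SIZE_MAX */
}

/* Hardened parse of the header value: digits only, so no sign, no leading
 * whitespace, no trailing junk, no overflow. Returns 0 on success and
 * stores the value, or -1 if the response should be rejected. */
int parse_content_length(const char *value, long *out)
{
    char *end;
    long v;

    if (value == NULL || *value < '0' || *value > '9')
        return -1;        /* rejects "-1", "+5", " 5" and "" */
    errno = 0;
    v = strtol(value, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

/* Hardened chunk size: the result is always within [0, IOBUF_SIZE]. */
size_t chunk_len_checked(long content_length, long received)
{
    long remaining;

    if (content_length < 0 || received < 0 || received > content_length)
        return 0;
    remaining = content_length - received;
    return remaining < (long)IOBUF_SIZE ? (size_t)remaining
                                        : (size_t)IOBUF_SIZE;
}
```

Rejecting the header at parse time and clamping at the point of use are independent checks; the second one still holds if a length reaches the copy by another path.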

-
Exploit

A denial of service proof-of-concept script has been published at the following location:

http://www.guninski.com/modproxy1.html

-
Solution

Updates are available. Please see the references for more information.